Abstract

Parametric representations used for symbolic simulation of circuits usually use BDDs. After a few steps of symbolic simulation, the state set representation is converted from one parametric representation to another, smaller representation, in a process called reparameterization. For large circuits, the reparameterization step often results in a blowup of BDDs and is expensive due to the large number of quantifications of input variables involved. Efficient SAT solvers have been applied successfully to many verification problems. This paper presents a novel SAT-based reparameterization algorithm that is largely immune to the large number of input variables that need to be quantified. We show experimental results on large industrial circuits and compare our new algorithm to both SAT-based Bounded Model Checking and BDD-based symbolic simulation. We were able to achieve on average a 3x improvement in time and space over BMC, and were able to complete many examples that the BDD-based approach could not even finish.


1 Introduction


Symbolic simulation is a widely applied technique for the analysis of complex transition systems, and of synchronous circuits in particular. In symbolic simulation, the transition relation is unwound m times into an equation that represents the set of states that is reachable in exactly m steps. The simulator keeps a separate equation for each state variable. These equations are parameterized in the initial state and the inputs of the circuit. Thus, the set of states is stored in a parametric representation.

An efficient way to store and manipulate this parametric representation of the set of states is crucial for the performance of the algorithm. Such a representation describes a set of states as a vector $(f_1, f_2, \ldots, f_n)$ of functions in parameters $P = \{p_1, p_2, \ldots, p_m\}$. Each parametric function gives the value of one state variable. For example, the set of states $S = \{10, 01\}$ is represented parametrically as $(p_1, \neg p_1)$. In this case, there is only one parameter $p_1$.

Most implementations use BDDs [Bry86] to represent these functions [CM90, Jon99, AJS99, Goe03, GB03, YS02]. These BDDs may grow exponentially in the number of simulation steps, as the number of variables grows. In order to address this problem, symbolic simulators compute a new, equivalent parametric representation. The new representation can be significantly smaller, since it usually requires fewer variables. This step is done as soon as one of the BDDs becomes too large. The process of converting one parametric representation to another is called reparameterization. In [CM90] and [Jon99], the reparameterization algorithm first converts the parametric representation into characteristic function form and then parameterizes this form. In [Goe03], an algorithm is given for computing set union in parametric form; algorithms for reparameterization and quantification are given that are based on this set union algorithm. However, the reparameterization is done using BDDs, hence as the number of simulation steps grows, the algorithm quickly becomes very expensive. This is due to the fact that each simulation step introduces more input variables, which need to be quantified during reparameterization.

Contribution. We describe a SAT-based algorithm to perform the reparameterization step for symbolic simulation. The algorithm performs better than BDD-based reparameterization, especially in the presence of many input variables. The algorithm takes arbitrary Boolean equations as input. Therefore, it does not require BDDs for the symbolic simulation. Instead, non-canonical forms that grow linearly with the number of simulation steps can be used.

In essence, the SAT-based reparameterization algorithm computes a new parametric function for each state variable, one at a time. In each computation, a large number of input variables are quantified by a single call to a SAT-based enumeration procedure [McM02, CCK03]. The advantage of this approach is twofold: first, all input variables are quantified at the same time, and second, the performance of the SAT-based enumeration procedure is largely unaffected by the number of input variables that are quantified.

We demonstrate the efficiency of this new technique using large industrial circuits with thousands of latches. We compare it to both SAT-based Bounded Model Checking and BDD-based symbolic simulation. Our new algorithm can go much deeper than a standard Bounded Model Checker can. Moreover, the overall memory consumption and the run times are, on average, 3 times less than the values measured using a Bounded Model Checker. The BDD-based symbolic simulator could not even verify most of the circuits that we used.

Other Techniques. Model checking [CGP00, CE81] techniques suffer from the state explosion problem. In the case of BDD-based symbolic model checking, this problem manifests itself in the form of unmanageably large BDDs [BCM+92]. This problem is partly addressed by a formal verification technique called Bounded Model Checking (BMC) [BCC+99, BCCZ99]. In BMC, the transition relation for a complex circuit and its specification are jointly unwound to obtain a Boolean formula, which is then checked for satisfiability by using a SAT procedure such as GRASP [SS96] or Chaff [MMZ+01]. If the formula is satisfiable, a counterexample can be extracted from the output of the SAT procedure. If the formula is not satisfiable, the circuit and its specification can be unwound further to determine whether a longer counterexample exists. This process terminates when the length of the potential counterexample exceeds its completeness threshold (i.e., is sufficiently long to ensure that no counterexample exists [KS03]) or when the SAT procedure exceeds its time or memory bounds. BMC has been used successfully to find subtle errors in very large circuits [Sht00, CFF+01].

In BMC, the size of the SAT instance grows linearly with the unwinding depth. However, for very large circuits, even linear growth can be prohibitive: either the formula already exceeds the memory limits, or the SAT instance is too hard for the SAT solver. No attempt is made to reduce the size of the representation.

BMC is not at all effective for showing that a property is true unless m exceeds the completeness threshold for the design and the property. Since this completeness threshold is, in most cases, prohibitively large, several extensions to BMC have been proposed in order to detect the absence of counterexamples:

1. In the counterexample guided abstraction refinement framework (CEGAR) [CGJ+00, CCS+02], model checking is performed on a safe abstraction of the model. Thus, if the property holds on the abstract model, it also holds on the concrete model. If this is not so, an abstract counterexample is obtained from the model checker. This abstract counterexample is then used to constrain the states in a Bounded Model Checking SAT instance. If the constrained BMC SAT instance is satisfiable, the abstract counterexample can be simulated on the concrete model and a bug is found. If not, the abstraction is refined using various heuristics.

2. In [MA03], this framework is changed as follows: an abstract counterexample is no longer obtained. The only information of interest is the length m of the abstract counterexample. This length m is then used as the bound for a normal, unconstrained BMC instance. If the BMC instance is satisfiable, a bug is found. If this is not the case, information from the SAT solver is used to generate the next abstract model.

3. In [McM03], a new framework is introduced: the algorithm initially performs Bounded Model Checking for some m steps in order to refute the property. If this fails, the proof of unsatisfiability extracted from the SAT solver is used to simplify a fixed-point computation. The purpose of the fixed-point computation is to detect the case when the property actually holds. This may fail, and if so, the algorithm is repeated with an increased value of m.

All three approaches therefore rely solely on Bounded Model Checking to refute the property. The extensions are used to detect the case that the property is true. We briefly describe how our algorithm can be used within these frameworks as a replacement for SAT-based BMC.

Outline. In section 2, we briefly introduce the basics of Bounded Model Checking and modern SAT algorithms. We also describe how the basic SAT algorithm can be extended in order to obtain the set of satisfying assignments instead of just one satisfying assignment. In section 3, we provide background information about the parametric representation as present in the literature. In section 4, we explain our contribution, i.e., how to implement reparameterization using SAT. In section 6, we present experimental results to demonstrate the effectiveness of the idea. In section 7, we show how it can be used in a number of verification frameworks as a replacement for Bounded Model Checking. We present a proof of correctness of our algorithm in section 8.

Notations and Conventions

We will use the following notations and conventions throughout the paper. Sets will be denoted by capital letters, as in S for the set of states, V for the set of state variables, $I^m$ for the set of input variables, and P for the set of parametric variables. We use a superscript of m for input variables to denote input variables accumulated over m steps of symbolic simulation. An ordered tuple of lower case letters denotes a vector of variables. For example, the state variable vector with n state variables is $(v_1, v_2, \ldots, v_n)$. The vector is denoted by a bar over the symbol. For example, a state vector will be denoted by $\bar{v}$ or in full form by $(v_1, v_2, \ldots, v_n)$. A particular parametric assignment is given by $\bar{p} = (p_1, p_2, \ldots, p_m)$. The set of all possible $2^n$ vectors of n state variables is $\mathcal{S}_n$, the set of all possible $2^m$ assignments to m parameters is $\mathcal{P}_m$, and the set of all possible input vectors is $\mathcal{W}_m$. Other uppercase calligraphic letters denote subsets of these sets. When the number of components in a vector is clear, we will often drop the subscripts and just use $\mathcal{S}$, $\mathcal{P}$, and so on. Functions will be denoted by lower case symbols, e.g., $f(I^m)$. In the brackets after a function symbol, the list of variables on which the function depends (the support set) is given, e.g., $h_i(p_1, p_2, \ldots, p_i)$. The value of a function for a particular assignment to its support variables is given as $h_i(p_1, p_2, \ldots, p_i)$ or in short $h_i(\bar{p})$. A vector of functions will be denoted by a bar over the top of the function symbol. For example, a vector of parametric functions is $\bar{h}(P) = (h_1(P), h_2(P), \ldots, h_n(P))$. The symbols $\alpha$ and $\beta$ will denote the constants 0 or 1.

2 SAT

2.1 Introduction

The enabling technique for Bounded Model Checking is satisfiability solving (SAT). A SAT solver reads a formula in conjunctive normal form (CNF) and finds a satisfying assignment if there is any. If not, the solver reports that the formula is unsatisfiable. SAT solving is one of the classical NP-complete problems. Over the last 4 years, propositional SAT checkers have demonstrated tremendous success on various classes of SAT formulas. The key to the effectiveness of SAT checkers like GRASP [SS96] and Chaff [MMZ+01] is non-chronological backtracking, efficient conflict driven learning of conflict clauses, and improved decision heuristics.

The efficiency of SAT procedures has made it possible to handle circuits with thousands of state variables, much larger than any BDD-based model checker is able to handle at present.


    while (1) {
        if (decide_next_branch()) {            // Branching
            while (deduce() == conflict) {     // Propagate implications
                blevel = analyze_conflict();   // Learning
                if (blevel == 0)
                    return UNSAT;
                else
                    backtrack(blevel);         // Non-chronological
                                               // backtrack
            }
        }
        else                                   // no branch means all vars
            return SAT;                        // have been assigned
    }

Figure 1: Basic DPLL backtracking search (used from [MMZ+01] for illustration purposes)

The basic framework for these SAT procedures, shown in Figure 1, is based on Davis-Putnam-Logemann-Loveland (DPLL) backtracking search. The function decide_next_branch() chooses the branching variable at the current decision level. The function deduce() does Boolean constraint propagation to deduce further assignments. In the process it might infer that the present set of assignments to variables does not lead to any satisfying solution. This is a conflict, since at least one CNF clause remains unsatisfied. In case of a conflict, new clauses are learned by analyze_conflict() that prevent the same unsuccessful search in the future. The conflict analysis also returns a variable for which the other value should be tried. This variable may not be the most recently decided variable, leading to a non-chronological backtrack. If all variables have been decided, then a satisfying assignment has been found and the procedure returns. The strength of various SAT checkers lies in their implementation of constraint propagation, non-chronological backtracking, decision heuristics, and learning. In our algorithm, we use the Chaff SAT checker [MMZ+01], as it has been demonstrated to be one of the most powerful SAT checkers on a wide class of problems.

2.2 Obtaining the Set of Satisfying Assignments

Recently, SAT solvers have been used to obtain the set of satisfying assignments of a Boolean formula, or a projection thereof to a subset of the variables. This is also used for the proposed reparameterization algorithm.

Obtaining a projection of the set of satisfying assignments to a subset of the variables corresponds to a Boolean quantification. The algorithm in [McM02] computes a CNF formula equivalent to a Boolean formula $f(X, Y)$ and then universally quantifies the X variables. Mathematically, it computes $\forall X . f(X, Y)$ in clausal form (CNF). Similarly, in our previous paper, we compute $\exists X . f(X, Y)$ in DNF by enumerating various assignments to the X variables. These enumeration procedures have many applications. For example, they are used in image computation [McM02, CCK03, KP03] in Model Checking, or for deciding satisfiability of QBF [PBZ03]. These applications obtain the desired set by enumeration. The SAT solver starts by searching for a satisfying assignment. If a satisfying assignment is found (this corresponds to the return SAT case in Figure 1), the partial assignment is recorded and then added as a blocking clause. Instead of terminating, the algorithm backtracks and continues to search for the next satisfying assignment until no more assignments are found.

In order to speed up the enumeration of satisfying assignments, the algorithms enlarge the partial assignment before adding the blocking clause. There are many ways to do this: in [McM02], the conflict graph is analyzed in order to enlarge the assignment; in [CCK03], symbolic simulation techniques are used. Moreover, storage of the enumerated clauses or cubes is crucial to the efficiency of the algorithm. In [McM02], zBDDs are used for storing enumerated CNF clauses, while we use a hashing scheme in [CCK03]. In [LBC03], the implementation from [CCK03] was compared against BDD-based quantification. The SAT-based technique outperformed the BDD-based technique on most examples.
3 Parametric Representation

Characteristic functions and parametric representations are two well known methods of representing a set of Boolean vectors. A set of Boolean vectors over the state variables represents a set of states. Consider a set S of vectors over the variables $V = \{v_1, v_2, \ldots, v_n\}$. As described above, $\bar{v} = (v_1, v_2, \ldots, v_n)$ denotes a particular vector, or a particular assignment to the variables in V. If the characteristic function $\xi(V)$ represents the set S of vectors, then

$$S = \{\bar{v} \in \mathcal{S}_n \mid \xi(\bar{v}) = 1\}. \quad (1)$$

Example. The following example will be used throughout the paper. Let $v_1$ and $v_2$ be two Boolean state variables. Consider the set of states $\{01, 10, 11\}$. This set of states has the characteristic function $\xi(V) = v_1 \vee v_2$.

On the other hand, if S is represented parametrically with a vector of n functions $\bar{f}(P) = (f_1(P), f_2(P), \ldots, f_n(P))$ over m parameters $P = \{p_1, p_2, \ldots, p_m\}$, then

$$S = \{\bar{v} \in \mathcal{S}_n \mid \exists \bar{p} \in \mathcal{P}_m [v_1 = f_1(\bar{p}) \wedge v_2 = f_2(\bar{p}) \wedge \ldots \wedge v_n = f_n(\bar{p})]\}. \quad (2)$$

Informally, the set of vectors in S is given by the range of the vector of functions $(f_1(\bar{p}), f_2(\bar{p}), \ldots, f_n(\bar{p}))$, where $\bar{p}$ ranges over all possible Boolean vectors in $\mathcal{P}_m$. For the running example, one possible parametric representation with three parameters $P = \{p_1, p_2, p_3\}$ is

$$(f_1(P) = p_1 \wedge p_2,\ f_2(P) = \neg(p_1 \wedge p_2) \vee p_3).$$

Note that, in general, $m \neq n$. For the particular case of symbolic simulation that we will discuss later, the number of parameters will be equal to the number of input variables to the circuit times the number of simulation steps, which can be much larger than n.

A parametric representation can easily be converted to a characteristic function by using the following equation:

$$\xi(V) = \exists \bar{p} [(v_1 \leftrightarrow f_1(\bar{p})) \wedge (v_2 \leftrightarrow f_2(\bar{p})) \wedge \ldots \wedge (v_n \leftrightarrow f_n(\bar{p}))]. \quad (3)$$

In other words, $\xi(\bar{v})$ is true if there exists an assignment $\bar{p}$ to the parameters such that the parametric function $f_1(\bar{p})$ evaluates to $v_1$, $f_2(\bar{p})$ evaluates to $v_2$, and so on. This is what is desired, since $\xi$ is supposed to be true exactly for the vectors in the set. In the case of symbolic simulation, $\bar{p}$ consists of the initial state and the inputs on the path to the state $\bar{v}$.

Note that the conversion to a characteristic function involves Boolean quantification over the parameters. If the functions are represented by BDDs, then this quantification becomes harder as the number of parameters m and the number of state variables n increase. A similar quantification problem occurs in BDD-based image computation when a transition relation is represented in conjunctively decomposed form. In that case, the variables to be quantified are the present state and input variables of the circuit, while the next state variables are not quantified. Considerable effort has been devoted to making image computation faster. Early quantification [BCL91, TSL+90, RAP+95, CCJ+01b, CCJ+01a] is a well known technique, in which the quantifiers are pushed inside the conjunction as far as possible. The order in which the conjunctions are carried out usually influences the effectiveness of early quantification.

Consider a circuit C with p inputs and n state variables. Suppose the circuit is symbolically simulated for m steps, by building Boolean expressions that represent the values of each of the state bits. After the m-step simulation, suppose each state bit $v_i$ is given by a Boolean expression denoted by the function $f_i(I^m)$. The variables $I^m$ appearing in each function are the $p \cdot m$ inputs plus the n initial values of the state variables. Thus, $|I^m| = p \cdot m + n$. We will denote the set of input vectors over $I^m$ variables by $\mathcal{W}_m$ and a particular input vector by $\bar{l}$. Powerful symbolic simulators can simulate a large number of steps, making $p \cdot m \gg n$. The set of reachable states in m steps, as a set of state vectors in V variables, is given by

$$S = \{\bar{v} \in \mathcal{S}_n \mid \exists \bar{l} \in \mathcal{W}_m [v_1 = f_1(\bar{l}) \wedge v_2 = f_2(\bar{l}) \wedge \ldots \wedge v_n = f_n(\bar{l})]\}.$$

Thus symbolic simulation builds a parametric representation of the set of states reachable in exactly m steps, where the parameters are the input variables $I^m$.

Usually, the number of parameters $|I^m|$ is very large. The number of possible valuations of these variables is $2^{|I^m|}$, while the number of possible valuations of the state variables is $2^n$. Therefore, many vectors in $I^m$ variables will map to the same state vector. Hence, it should be possible to reduce the number of parameters. We aim at finding new functions $h_1(P), h_2(P), \ldots, h_n(P)$ in new parameters P, where $|P| \ll |I^m|$. This is why reparameterization is useful. Obviously, a set of vectors in n variables can be represented by parametric functions of n variables. Hence, $|P| \le n$. This process of converting from one parametric representation to another is called reparameterization [CM90, Goe03].

For the example above, another parametric representation in just two parameters $P = \{p_1, p_2\}$ is $(h_1(P) = p_1,\ h_2(P) = \neg p_1 \vee p_2)$.

There has been some work on reparameterization using BDDs. The most complete description can be found in [Jon99, Goe03]. The BDD-based method quantifies the input variables one at a time from the parametric representation. Each quantification involves a parametric union of two sets, each of which could require a number of BDD operations linear in the number of state bits. The BDD-based algorithm has $|I^m|$ variable eliminations in the outer loop, and the inner loop iterates over all state bits. Thus, to eliminate all $I^m$ variables, $|I^m| \cdot n$ BDD operations are needed [Goe03, Jon99].

We present a SAT-based reparameterization algorithm. Our SAT-based algorithm does this in one pass over the state bits. The outer loop iterates over the state bits, and the inner computation quantifies all $I^m$ variables in one run of the SAT checker. The details of the algorithm are described in the next section.
4 Reparameterization using SAT

4.1 Background

The algorithm computes functions $h_1(P), h_2(P), \ldots, h_n(P)$ in parameters P, where $|P| \le n$. Thus, the number of parameters is at most equal to the number of state variables. Moreover, the functions $h_i$ will have a specific structure, in that the function $h_i$ will only depend on the variables $\{p_1, p_2, \ldots, p_i\}$. This will be explicitly denoted by $h_i(p_1, \ldots, p_i)$. We will derive these functions in the order $h_1, h_2, \ldots, h_n$. Intuitively, each new parameter $p_i$ allows for the free choice of the ith state bit $v_i$. Let $h_i^1(p_1, \ldots, p_{i-1})$ denote the Boolean condition under which the state bit $v_i$ is forced to take value 1, let $h_i^0(p_1, \ldots, p_{i-1})$ denote the Boolean condition under which the state bit $v_i$ is forced to take value 0, and let $h_i^x(p_1, \ldots, p_{i-1})$ denote the Boolean condition under which $v_i$ is free to choose a value (is not forced to either 0 or 1).

For the set $\{01, 10, 11\}$ in the running example, suppose we let the first bit be represented by the free parameter $p_1$. If the first bit is 0, then the second bit is forced to be 1 in the set. Thus, the Boolean condition under which $v_2$ is forced to 1 is $h_2^1(p_1) = \neg p_1$. Moreover, if the first bit is 1, then the second bit is free to be either 0 or 1. Thus, $h_2^x(p_1) = p_1$. Note that $h_2^0(p_1) = 0$, since the second bit is not forced to 0 under any condition.

The following decomposition of $h_i$ was introduced in [CM90, Goe03]:

$$h_i(p_1, \ldots, p_i) = h_i^1(p_1, \ldots, p_{i-1}) \vee (p_i \wedge h_i^x(p_1, \ldots, p_{i-1})). \quad (4)$$

Intuitively, Equation 4 is interpreted as follows. The value of bit $v_i$ is 1 precisely under the condition $h_i^1$, hence the first term in the equation. If the parameters $p_1$ to $p_{i-1}$ do not force the bit $v_i$ to be 1, then the bit is given by the free parameter $p_i$ under the free choice condition $h_i^x$.

The three conditions $h_i^0$, $h_i^1$ and $h_i^x$ are mutually exclusive and complete, thus

$$h_i^x = \neg(h_i^1 \vee h_i^0) = \neg h_i^1 \wedge \neg h_i^0. \quad (5)$$

Continuing our example, we get $h_2(p_1, p_2) = \neg p_1 \vee (p_2 \wedge p_1)$, which is equivalent to the smaller parametric representation $\neg p_1 \vee p_2$ we presented in the previous section. It should be evident that $h_i^0$, $h_i^1$, and $h_i^x$ depend only on the parameters $p_1$ to $p_{i-1}$. Assigning some specific value to a bit restricts the set of choices for the following bits. In our example, choosing $v_1 = 0$ restricts the value of the bit $v_2$ to 1. In this special form of a parametric representation, the parametric function $h_i$ is restricted only by the choices made for the earlier bits. Thus, the critical part of computing $h_i$ is computing the three conditions $h_i^1$, $h_i^0$ and $h_i^x$, which we describe now.

4.2 Computing $h_i^1$ and $h_i^0$

Let us recall the meaning of $h_i^1$: it denotes the Boolean condition in variables $\{p_1, \ldots, p_{i-1}\}$ under which the ith bit $v_i$ is forced to take the value 1. In the given representation $\bar{f}(I^m)$, bit $v_i$ is constrained by other bits in what values it can take. Initially, these constraints are given by the common variables $I^m$. We want to re-express these constraints in P variables. Let $\bar{p} = (p_1, p_2, \ldots, p_{i-1})$ be a specific assignment which makes the Boolean condition $h_i^1(p_1, \ldots, p_{i-1})$ true. Then all input vectors $\bar{l} \in \mathcal{W}_m$ for which the functions $f_1, \ldots, f_{i-1}$ evaluate to the same values as $h_1, \ldots, h_{i-1}$ are said to be conforming to the assignment $(p_1, p_2, \ldots, p_{i-1})$. In essence, the evaluation of the new parametric functions and the old parametric functions is the same for these input vectors. The restriction function $\rho_i(p_1, \ldots, p_{i-1}, I^m)$ is used to find this set of conforming inputs. The function $\rho_i$ restricts the set of input vectors $\mathcal{W}_m$ to only those that conform with the given assignment to the parameters. Formally, it can be written as

$$\rho_i(p_1, \ldots, p_{i-1}, I^m) = \bigwedge_{j=1}^{i-1} \left( h_j(p_1, \ldots, p_j) = f_j(I^m) \right). \quad (6)$$

Note that $\rho_1 = 1$. Now the condition $h_i^1$ can easily be expressed as follows: we want a Boolean condition in $\{p_1, \ldots, p_{i-1}\}$ variables under which $v_i$ is forced to take the value 1. So if an assignment $(p_1, p_2, \ldots, p_{i-1})$ makes $h_i^1$ true, then that means that for all input vectors $\bar{l}$ that conform with this assignment, the function $f_i(\bar{l})$ evaluates to 1. Hence,

$$h_i^1(p_1, \ldots, p_{i-1}) = \forall I^m . \left( \rho_i(p_1, \ldots, p_{i-1}, I^m) \Rightarrow f_i(I^m) = 1 \right). \quad (7)$$

Analogously, $h_i^0$ can be expressed as

$$h_i^0(p_1, \ldots, p_{i-1}) = \forall I^m . \left( \rho_i(p_1, \ldots, p_{i-1}, I^m) \Rightarrow f_i(I^m) = 0 \right). \quad (8)$$

Equation 5 can be used to compute $h_i^x$, given both $h_i^1$ and $h_i^0$. Thus $h_i$ can easily be computed. Note that $h_1 = p_1$, unless the bit $v_1$ is always 1 or 0, in which case $h_1 = 1$ or $h_1 = 0$. This follows automatically from $\rho_1 = 1$.

Thus, Equations 4 to 8 give us the following high level reparameterization algorithm, which we call OrderedReparam (Figure 2).

The following theorem states that the algorithm is correct. It states that the set of state vectors $\mathcal{Y}$ given by the new parametric representation is exactly the same as the set of state vectors $\mathcal{X}$ given by the original parametric representation.

Theorem 1. Suppose that, beginning with the parametric representation $\mathcal{X} = \{\bar{v} \in \mathcal{S} \mid \exists \bar{l} \in \mathcal{W}_m . \bar{v} = \bar{f}(\bar{l})\}$, we obtain $\mathcal{Y} = \{\bar{v} \in \mathcal{S} \mid \exists \bar{p} \in \mathcal{P} . \bar{v} = \bar{h}(\bar{p})\}$ by following the algorithm OrderedReparam. Then $\mathcal{X} = \mathcal{Y}$.

We prove this theorem in section 8.
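As an added illustration (not code from the paper), the following Python carries OrderedReparam through the running example $\{01, 10, 11\}$ and checks Theorem 1 on it. The universal quantifications of Equations 7 and 8 are performed by exhaustive evaluation over the old parameters, standing in for the SAT-based enumeration the paper uses; everything else follows Equations 4 to 8 directly.

```python
from itertools import product

# Running example from the paper (constructed here as sample input): the state
# set {01, 10, 11} over (v1, v2), given parametrically over the old parameters
# {p1, p2, p3} as  f1 = p1 AND p2  and  f2 = NOT(p1 AND p2) OR p3.
OLD_PARAMS = ("p1", "p2", "p3")
F = (
    lambda a: a["p1"] and a["p2"],
    lambda a: (not (a["p1"] and a["p2"])) or a["p3"],
)


def assignments(names):
    """Yield all 2^|names| assignments (as dicts) to the named Boolean variables."""
    for bits in product((False, True), repeat=len(names)):
        yield dict(zip(names, bits))


def image(funcs, names):
    """Range of a vector of parametric functions, i.e. the state set it denotes."""
    return {tuple(int(fn(a)) for fn in funcs) for a in assignments(names)}


def _make_h(i, prefix, h1, hx):
    """Build h_i(p_1..p_i) = h_i^1 OR (p_i AND h_i^x)  (Equation 4)."""
    p_i = f"p{i + 1}"

    def h_i(a):
        key = tuple(a[q] for q in prefix)       # value of (p_1..p_{i-1})
        return h1[key] or (a[p_i] and hx[key])

    return h_i


def ordered_reparam(f, old_params):
    """OrderedReparam (Figure 2). Returns (h, tables, new_params).

    h_i^1 and h_i^0 are stored as truth tables over (p_1..p_{i-1}). The
    'for all I^m' of Equations 7 and 8 is evaluated exhaustively here; the
    paper replaces this step with one SAT-based enumeration per state bit.
    """
    h, tables = [], []
    for i in range(len(f)):
        prefix = tuple(f"p{k + 1}" for k in range(i))   # p_1 .. p_{i-1}
        h1, h0, hx = {}, {}, {}
        for p in assignments(prefix):
            key = tuple(p[q] for q in prefix)
            # rho_i (Equation 6): old inputs l that conform with p, i.e.
            # h_j(p) = f_j(l) for every j < i.
            conforming = [l for l in assignments(old_params)
                          if all(h[j](p) == f[j](l) for j in range(i))]
            h1[key] = all(f[i](l) for l in conforming)        # Equation 7
            h0[key] = all(not f[i](l) for l in conforming)    # Equation 8
            hx[key] = not (h1[key] or h0[key])                # Equation 5
        h.append(_make_h(i, prefix, h1, hx))
        tables.append({"h1": h1, "h0": h0, "hx": hx})
    new_params = tuple(f"p{k + 1}" for k in range(len(f)))   # |P| = n
    return h, tables, new_params


def check_example():
    """Reparameterize the running example and verify X = Y (Theorem 1)."""
    h, tables, new_params = ordered_reparam(F, OLD_PARAMS)
    old_set = image(F, OLD_PARAMS)
    new_set = image(h, new_params)
    return old_set == new_set, old_set, tables, len(new_params)


if __name__ == "__main__":
    ok, states, tables, m = check_example()
    print("represented set:", sorted(states), "unchanged by reparam:", ok)
    print("parameters: %d -> %d" % (len(OLD_PARAMS), m))
    for i, t in enumerate(tables, 1):
        print(f"h_{i}^1={t['h1']}  h_{i}^0={t['h0']}  h_{i}^x={t['hx']}")
```

The tables for bit 2 come out as $h_2^1 = \neg p_1$, $h_2^0 = 0$, $h_2^x = p_1$, matching the hand derivation above.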

Computing $h_i^1$ and $h_i^0$ from Equations 7 and 8 involves universally quantifying a large number of $I^m$ variables. This is especially expensive with a BDD-based representation. Moreover, representing parametric functions with BDDs becomes very expensive as the number of simulation steps grows and the number of variables $|I^m|$ increases. BDDs can blow up due to variable ordering problems, and the size of BDDs can become exponential in $|I^m|$. However, if the
    // Input:  Parametric Representation f(I^m) = (f_1(I^m), f_2(I^m), ..., f_n(I^m)).
    // Output: Parametric Representation h(P) = (h_1(P), h_2(P), ..., h_n(P)).
    ORDEREDREPARAM(f(I^m) = (f_1(I^m), f_2(I^m), ..., f_n(I^m)))
     1  for i = 1 to n
     2      rho_i <- 1
     3      for j = 1 to i - 1
     4          rho_i <- rho_i AND (h_j = f_j)
     5      endfor
     6      h_i^1 <- FORALL I^m . (rho_i => f_i = 1)
     7      h_i^0 <- FORALL I^m . (rho_i => f_i = 0)
     8      h_i^x <- NOT (h_i^1 OR h_i^0)
     9      h_i   <- h_i^1 OR (p_i AND h_i^x)
    10  endfor
    11  return (h_1(P), h_2(P), ..., h_n(P))

Figure 2: High Level Description of the Reparameterization Algorithm


parametric  functions  are  represented  by  Boolean  expressions,  the  size  of  each 
expression  is  bounded  by  the  circuit  size  times  the  number  of  simulation  steps. 
Therefore,  symbolic  simulators  that  use  non-canonical  Boolean  expressions  can 
go  much  deeper.  Thus,  we  seek  to  compute  ft;  when  the  functions  are  given  as 
Boolean  expressions. 

In a previous paper [CCK03], we reported an efficient procedure to existentially quantify a large number of variables from a Boolean formula. The procedure essentially uses powerful SAT checkers like Chaff to enumerate cubes (partial assignments) given in terms of the variables that are not to be quantified and stores these cubes in an efficient data structure. We used the procedure to compute successive images of a set of states to get the set of reachable states. The procedure assumes that the formula is given in conjunctive normal form (CNF). The procedure quantifies a subset of the variables and generates a disjunctive normal form (DNF) clausal representation in terms of the remaining variables. It is worthwhile to note that the complexity of the procedure is mostly related to the number of variables not quantified and not to the number of variables to be quantified. If the formula is not given in CNF, intermediate variables can be used to convert it to CNF. In essence, the variables to be quantified are treated in the same way as the intermediate variables.

We intend to use the same procedure to compute $h_i^a$ (where $a$ is either 1 or 0). However, note that we need to universally quantify the $I_m$ variables, while the procedure does existential quantification. So we re-express $h_i^a$ as

$h_i^a(p_1, \ldots, p_{i-1}) = \forall I_m.\ \rho_i(p_1, \ldots, p_{i-1}, I_m) \rightarrow f_i(I_m) = a$ (9)

$= \neg \exists I_m.\ \neg(\rho_i(p_1, \ldots, p_{i-1}, I_m) \rightarrow f_i(I_m) = a)$ (10)

$= \neg \exists I_m.\ \rho_i(p_1, \ldots, p_{i-1}, I_m) \land f_i(I_m) \neq a$ (11)

Thus, the existential quantification can be carried out by our SAT-based procedure to compute $\neg h_i^a$. The formula $\rho_i(p_1, \ldots, p_{i-1}, I_m) \land f_i(I_m) \neq a$ is given to the SAT checker in CNF, which is done by introducing intermediate variables. The large number of $I_m$ variables poses no problem, as they are treated just like intermediate variables by our SAT-based enumeration procedure. The procedure computes $\neg h_i^a$ in disjunctive normal form (DNF) over the $\{p_1, \ldots, p_{i-1}\}$ variables.

After computing $h_i^1$ and $h_i^0$ (thus in CNF), $h_i^c$ is given by $\neg h_i^1 \land \neg h_i^0$. This can be converted to CNF, if required for the SAT checker, by again introducing intermediate variables. This allows us to derive $h_i$ using Equation 4. It appears that for computing each $h_i$, two SAT-based enumerations are required, hence a total of $2n$ SAT-based enumerations. In the next section, we show that there are a number of optimizations. First, we show that a single SAT-based enumeration can be used to compute both $\neg h_i^1$ and $\neg h_i^0$. Moreover, we show that successive SAT runs are similar to earlier runs and how to use this similarity to improve the performance of the SAT checker.

4.3 Computing $h_i^0$ and $h_i^1$ in a single SAT run

While enumerating cubes in variables $\{p_1, \ldots, p_{i-1}\}$ for computing $h_i^1$ and $h_i^0$, we note that the SAT formulas are very similar to each other. In fact, the only difference is whether $f_i(I_m)$ equals 0 or 1. In order to merge these two computations, we ask the SAT-based enumeration procedure to enumerate cubes in the $\{p_1, \ldots, p_{i-1}\}$ variables for the following formula:

$\rho_i(p_1, \ldots, p_{i-1}, I_m)$ (12)

For each solution enumerated (in $p_1$ to $p_{i-1}$ and $I_m$), we check the value of $f_i(I_m)$. We do this check by just evaluating $f_i(I_m)$ using the assignment to the $I_m$ variables computed by the SAT checker. Note that we have to do this evaluation a large number of times, hence it should be made as fast as possible. Since this is just a function evaluation, techniques such as compiled simulation can be used to do this much faster than what we do at present. Another option is to use the SAT checker itself to do this evaluation, rather than using a separate function evaluator. This can be done as follows: Instead of asking SAT to enumerate the formula $\rho_i(p_1, \ldots, p_{i-1}, I_m)$, we ask it to enumerate on

$\tau_i = \rho_i(p_1, \ldots, p_{i-1}, I_m) \land (f_i(I_m) = \beta)$ (13)

Here, $\beta$ is a new intermediate variable. This does not place any constraints on the solution space. However, since the SAT checker assigns values to all variables, the value it assigns to $\beta$ is the evaluation of the function $f_i(I_m)$. It appears that we are unnecessarily adding CNF clauses to the SAT instance. However, as we will see in the next subsection, these additional clauses can be used when doing SAT-based enumeration for computing $h_{i+1}^a$.

If $\beta$ evaluates to 0, then we know that the cube found by the SAT checker cannot belong to $h_i^1$. This is because we found at least one consistent assignment to the $I_m$ variables that leads to the value 0 for $f_i(I_m)$, hence bit $i$ is not forced to 1 for all consistent assignments to $I_m$. Thus, the cube in $\{p_1, \ldots, p_{i-1}\}$ is added to $\neg h_i^1$. Similarly, if $\beta$ evaluates to 1, then the cube is added to $\neg h_i^0$. Thus, both $\neg h_i^0$ and $\neg h_i^1$ are computed in a single SAT run, and then $h_i^c$ is computed as given in Equation 5.
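As an added worked example (not code from the paper), the following Python runs OrderedReparam from Figure 2 on a small constructed circuit, using the single-run cube classification of this section; it assumes brute-force enumeration of all assignments in place of the SAT checker, and checks Theorem 1 by comparing the state sets X and Y.

```python
from itertools import product

# Constructed sample circuit (not from the paper): n = 4 state bits given as
# functions f_i of m = 3 input bits l = (l_0, l_1, l_2).  Bit 4 is the
# constant 1, bit 2 is forced to 1 whenever bit 1 is 1, and bit 3 is free.
M_INPUTS = 3
SAMPLE_F = [
    lambda l: l[0] & l[1],   # f_1
    lambda l: l[0] | l[1],   # f_2: equals 1 whenever f_1 = 1
    lambda l: l[2] ^ l[0],   # f_3
    lambda l: 1,             # f_4: always 1, so h_4 must come out as 1
]


def assignments(k):
    """All 0/1 vectors of length k; a brute-force stand-in for SAT enumeration."""
    return list(product((0, 1), repeat=k))


def eval_h(tables, p):
    """Evaluate h(p); h_i depends on the prefix (p_1, ..., p_i) only."""
    return tuple(tables[i][p[:i + 1]] for i in range(len(tables)))


def ordered_reparam(fs, m):
    """OrderedReparam (Figure 2), with the single-run classification of 4.3.

    Returns one truth table per h_i, keyed by the prefix (p_1, ..., p_i).
    Every (p_1..p_{i-1}, l) satisfying rho_i is visited; with a SAT checker
    these would be the enumerated cubes, here they are enumerated outright.
    """
    tables = []
    for i, f_i in enumerate(fs):
        not_h1, not_h0 = set(), set()   # cubes over p_1..p_{i-1} (Section 4.3)
        for p in assignments(i):
            for l in assignments(m):
                # rho_i(p, l) = AND_{j<i} (h_j(p) = f_j(l))     (Equation 12)
                if not all(tables[j][p[:j + 1]] == fs[j](l) for j in range(i)):
                    continue
                # one consistent l with f_i(l) = 0 shows bit i is not forced
                # to 1, so the cube joins ~h_i^1; symmetrically for ~h_i^0
                if f_i(l) == 0:
                    not_h1.add(p)
                else:
                    not_h0.add(p)
        table = {}
        for p in assignments(i):
            h1 = p not in not_h1            # h_i^1 = forall l. rho_i -> f_i = 1
            h0 = p not in not_h0            # h_i^0 = forall l. rho_i -> f_i = 0
            hc = not (h1 or h0)             # h_i^c = ~(h_i^1 \/ h_i^0)
            for p_i in (0, 1):
                # h_i = h_i^1 \/ (p_i /\ h_i^c)
                table[p + (p_i,)] = int(h1 or (p_i == 1 and hc))
        tables.append(table)
    return tables


def states_from_f(fs, m):
    """The set X of state vectors reachable through the original functions."""
    return {tuple(f(l) for f in fs) for l in assignments(m)}


def states_from_h(tables):
    """The set Y of state vectors denoted by the reparameterized functions."""
    return {eval_h(tables, p) for p in assignments(len(tables))}


if __name__ == "__main__":
    h = ordered_reparam(SAMPLE_F, M_INPUTS)
    # Theorem 1: X == Y, here with 4 parameters standing in for 3 inputs
    print(states_from_h(h) == states_from_f(SAMPLE_F, M_INPUTS))
```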

4.4  Incremental  SAT 

The optimized SAT formula for computing $h_i^a$, $a \in \{0, 1\}$ (Equation 12) is very similar to the formula given to the SAT checker for computing $h_{i-1}$. Since $\rho_i = \bigwedge_{j=1}^{i-1} (h_j = f_j)$, the following recurrence is evident:

$\rho_i(p_1, \ldots, p_{i-1}, I_m) = \rho_{i-1}(p_1, \ldots, p_{i-2}, I_m) \land (h_{i-1}(p_1, \ldots, p_{i-1}) = f_{i-1}(I_m))$ (14)

Thus, an incremental SAT checker can be used, provided we delete the clauses that were added as blocking clauses and the conflict clauses inferred from them while enumerating $h_{i-1}^a$. An incremental SAT checker keeps all the conflict clauses learned while enumerating solutions to $\rho_{i-1}$. This is correct because of the recurrence above.

We have implemented an incremental SAT checker on top of zChaff along with the cube enumeration. This SAT checker allows us to remove the blocking clauses added in the previous SAT run. The advantage of incremental SAT checking is that all the learning done while computing $\rho_{i-1}$ comes for free when checking $\rho_i$. Only the clauses corresponding to $h_{i-1} = f_{i-1}$ need to be added, and only the blocking clauses need to be deleted.

Suppose the SAT checker is used to evaluate $f_i(I_m)$ when enumerating on $\tau_i$ (Equation 13), as described in the previous section, by adding clauses corresponding to $f_i(I_m) = \beta$. In the next iteration we have to add an equality between $h_i$ and $f_i$ to get $\tau_{i+1}$, so we just add $(\beta = h_i(p_1, \ldots, p_i)) \land (f_{i+1} = \gamma)$ to the SAT formula $\tau_i$ to get the SAT formula $\tau_{i+1}$. Here, $\gamma$ is again a new intermediate variable. Thus the clauses corresponding to $f_i(I_m) = \beta$ are used in the next iteration.


5  Safety  Properties  and  Counterexamples 

So far, we have described how to do SAT-based symbolic simulation when the circuit is given in functional form and the initial state constraint is given in parametric form. Most circuits are in functional form; however, the initial state constraint is frequently given as a predicate on the initial state variables. Safety properties are also given as predicates. We now describe how to handle the initial state and the safety property predicates and how to generate counterexamples.
5.1 Safety Property Checking

Symbolic simulation with reparameterization works as follows: Beginning with the initial states, the circuit is simulated up to a certain depth, say $k$, when the functions become too large. At this point, reparameterization is applied, and a smaller parametric representation $h^k(P_k) = (h_1^k(P_k), h_2^k(P_k), \ldots, h_n^k(P_k))$ is computed representing the set of states reached in exactly $k$ steps. The superscript here just emphasizes the fact that this parametric representation is for step $k$. After that point, symbolic simulation continues using $h^k(P_k)$ as the set of initial states in parametric form. This is continued until a bug is found or the time limit is exceeded. In this section, we describe the method used for finding violations of safety properties.

Let us assume that $S_0(V)$ is the initial state predicate and $Bad(V)$ is the predicate describing the set of states that violate the safety property of interest. For the initial states, we generate a parametric representation from the predicate $S_0(V)$ using the algorithm in [Jon99]. The initial state predicates are usually small, hence this is not very expensive. The parametric variables for the initial state will be part of the $I_m$ variables, as described earlier. If $(h_1(P), h_2(P), \ldots, h_n(P))$ is the parametric representation at some step of the simulation, then the SAT checker is asked to provide an assignment to the parameters such that the state vector satisfies the $Bad(V)$ predicate. Formally, the SAT checker is asked to find a satisfying assignment for

$v_1 = h_1(P) \land v_2 = h_2(P) \land \ldots \land v_n = h_n(P) \land Bad(V)$ (15)

If the SAT checker generates a satisfying assignment, then we know that the property fails, and a counterexample needs to be generated.

5.2  Counterexample  Generation 

For our symbolic simulator, the counterexample generation is nontrivial, since we do not keep the whole simulation. Periodically, we reparameterize the representation and hence lose the information about input variables up to that point. In order to generate counterexamples, we need to store all intermediate parametric representations and the simulated functions that these representations are derived from. This storage can be done on a disk, offline. We pick one state that violates the safety property and ask the SAT checker to provide an assignment to the input variables that leads from the most recent parameterized representation to the bug. Since the simulated functions are stored on the disk, they can be directly used in the SAT checker, rather than unrolling the circuit again. Once we get a state at the step when the last reparameterization was done, we choose one state from that step and repeat the whole process again. This is similar to the strategy that standard BDD-based model checkers use. They begin with one bad state, and then keep on intersecting pre-images with the frontier state sets, until they get to an initial state.
6 Experimental Results

We report our experimental results on a 1.3 GHz AMD Athlon processor machine with 1 GB of main memory running RedHat Linux 7.1. We set a memory limit of 0.7 GB. We report experimental results (Table 1) on large industrial circuits. These circuits are taken from various processor designs. Both the circuits were used in [CCS+02], where SAT-based abstraction-refinement was done for verification of safety properties. All D series circuits have a counterexample, while both properties hold on the IU circuit. IUp1 and IUp2 are the same circuit, but checked with different properties.

We compare our algorithm against a BMC algorithm implemented in the NuSMV model checker with the zChaff SAT checker and the abstraction refinement results in [CCS+02]. BMC keeps on unwinding the transition relation, while we periodically reduce the size of the representation with reparameterization. Therefore, comparing against BMC is fair. Our algorithm is not yet complete for safety properties, in that it cannot prove properties true without resorting to abstraction-refinement. However, as we will describe later, we can combine abstraction-refinement with our symbolic simulator to make the property checking complete.


ckt    # regs   # PIs   bug len.   Run time                    max len.   max time   # reps.
                                   BMC      [CCS+02]   sym
D2+    94       11      15         18       79         32       221        1000       8
D5+    343      7       32         15       38.2       17       127        1000       13
D24    223      47      10         5        8          7        543        1000       9
D6     161      16      20         289      833        145      64         1000       5
D18    498      247     28         6834     9955       1698     56         3000       7
D20    532      30      14         2349     1947       574      89         3000       9
IUp1   4494     361     true       3000*    3350       -        183        3000       45
IUp2   4494     361     true       3000*    712        -        183        3000       45

Table 1: Experimental Results on Large Industrial Benchmarks. Times reported are in seconds. BMC was able to complete just 39 steps and then ran out of memory for IUp1 and IUp2.


In Table 1, the first column is the name of the circuit. In the “# regs” column, we report the number of latches in the circuit, while in the third column, we record the number of inputs of the circuit. In the column marked “bug len.”, we denote the length of the shortest counterexample to the safety property, if the property is false. The “bmc time” column records the amount of time the BMC algorithm required for finding the bug, the “fmcad time” column records the amount of time the abstraction-refinement algorithm took to find the bug or to prove the property, and the column marked “sym time” denotes the amount of time our algorithm takes to simulate up to the bug and find the bug. Since IUp1 and IUp2 did not have any bug, we did not record the time for these two circuits in the “sym bug time” column.
To show that our algorithm can go deeper than BMC, we continue simulating these circuits past the bug and record the maximum length we can reach within the time limit. The “max len.” column denotes the maximum length that we simulate the circuit for in the time given in the column “max time”. The last column, marked “# reparams”, records the number of reparameterizations done for simulating up to the maximum length.

We  would  like  to  point  out  that  in  [CCS+02],  a  spurious  counterexample  of 
length  72  was  found,  which  could  not  even  be  simulated  with  SAT  on  a  machine 
with  3  GB  of  memory.  However,  we  could  simulate  it  for  72  steps  in  987  seconds 
on  the  smaller  machine  with  our  algorithm. 

It is evident from the results that our algorithm is more powerful than the plain BMC algorithm. We are able to go much deeper and can do it in a shorter amount of time. In fact, we were even able to do better than the results obtained with abstraction. It should be noted that multiple refinement steps are required in abstraction-refinement, and in each step, a spurious counterexample is simulated using SAT. Therefore, abstraction-refinement can be slower in many cases.

The  BDD-based  reachability  program  of  [Goe03]  does  property  checking  and 
can  also  do  fixed  points.  However,  it  was  able  to  find  bugs  for  D2  and  D5  circuits 
only.  For  the  rest  of  the  circuits,  it  either  exceeded  the  time  or  memory  limit. 


7  Extensions 

7.1  Proving  Safety  Properties 

For proving that a safety property is true, the BDD-based symbolic simulators perform a fixed-point detection using efficient set union algorithms. Implementing set union in our framework is feasible as described below, and as the representation after reparameterization is canonical for a given variable ordering, the fixed point could be detected by comparing the last two parametric representations.

7.1.1  Set  Union 

Suppose two sets of states $S_1$ and $S_2$ are given using the parametric representations $h(P) = (h_1(P), \ldots, h_n(P))$ and $g(Q) = (g_1(Q), \ldots, g_n(Q))$, respectively. Suppose $P \cap Q = \emptyset$, i.e., the representations do not share parameters. If that is not the case, the parameters can just be renamed to make them disjoint. We define $\uplus$ as an operator for two parametric representations as follows:

$h(P) \uplus g(Q) = (z\,?\,h_1(P) : g_1(Q),\ z\,?\,h_2(P) : g_2(Q),\ \ldots,\ z\,?\,h_n(P) : g_n(Q)).$

Here, the expression $z\,?\,h_i(P) : g_i(Q)$ is just a short form for $(z \land h_i(P)) \lor (\neg z \land g_i(Q))$ and $z$ is a new parameter. The claim below that $h(P) \uplus g(Q)$ represents $S_1 \cup S_2$ is easy to prove.
Theorem 2 If $S_1$ and $S_2$ are given by parametric representations $h(P)$ and $g(Q)$, then $S_1 \cup S_2$ is given by the parametric representation $h(P) \uplus g(Q)$.

This set union operation can be generalized to take the union of $n$ different parametric representations by using $\lceil \log_2 n \rceil$ new parameters.
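As an added example (not the paper's code), the following Python builds the ⊎ operator of Section 7.1.1 and its ⌈log2 n⌉-parameter generalization over three constructed sample representations, and checks Theorem 2 by brute-force enumeration of the represented state sets.

```python
from itertools import product
from math import ceil, log2

# A parametric representation is a pair (k, [h_1, ..., h_n]): k is the number
# of parameters and h_i maps a parameter vector (a 0/1 tuple of length k) to
# the value of state bit i.  The three representations below are constructed
# sample data, not taken from the paper.
REP_H = (2, [lambda p: p[0], lambda p: p[0] & p[1], lambda p: 1])   # S_1
REP_G = (1, [lambda q: q[0], lambda q: 0, lambda q: q[0]])           # S_2
REP_K = (1, [lambda r: 0, lambda r: r[0], lambda r: 0])              # S_3


def assignments(k):
    return list(product((0, 1), repeat=k))


def states(rep):
    """The set of state vectors denoted by a parametric representation."""
    k, hs = rep
    return {tuple(h(p) for h in hs) for p in assignments(k)}


def union(reps):
    """Generalized set union (the paper's uplus) over r representations.

    The parameter lists are concatenated (this is the renaming-apart step:
    representation t owns the slice starting at offset[t]) and ceil(log2 r)
    fresh selector parameters are appended.  Selector value t picks
    representation t, which for r = 2 is exactly z ? h_i(P) : g_i(Q) with
    z = 0 choosing h.  Selector codes >= r (possible when r is not a power of
    two) fall back to the last representation, which leaves the union unchanged.
    """
    r = len(reps)
    n = len(reps[0][1])
    sizes = [k for k, _ in reps]
    offset = [sum(sizes[:t]) for t in range(r)]
    n_sel = ceil(log2(r)) if r > 1 else 0
    total = sum(sizes) + n_sel

    def selector(p):
        code = 0
        for bit in p[sum(sizes):]:          # the trailing selector bits
            code = (code << 1) | bit
        return min(code, r - 1)

    def make(i):
        def h_i(p):
            t = selector(p)
            return reps[t][1][i](p[offset[t]:offset[t] + sizes[t]])
        return h_i

    return (total, [make(i) for i in range(n)])


def union_matches_theorem(reps):
    """Theorem 2 (and its log2 generalization), checked by brute force."""
    expected = set().union(*(states(rep) for rep in reps))
    return states(union(reps)) == expected


if __name__ == "__main__":
    two = union([REP_H, REP_G])
    print(two[0], union_matches_theorem([REP_H, REP_G]))        # |P| + |Q| + 1
    print(union([REP_H, REP_G, REP_K])[0],
          union_matches_theorem([REP_H, REP_G, REP_K]))
```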

The number of parameters after set union of two sets is $|P| + |Q| + 1$. This representation can be reparameterized by our SAT-based algorithm to get a parametric form in $n$ parameters. Since our algorithm generates canonical forms, the fixed point could be detected by comparing the last two representations. Thus, fixed point detection would require a reparameterization run after each step of simulation. This would nullify the performance gained by the new algorithm, which benefits from performing the reparameterization only when the equations become too big.

Hence, the fixed point detection algorithm, while a theoretical possibility, should not be used for performance reasons. The user of Bounded Model Checking has the same problem: the Bounded Model Checker only guarantees the absence of bugs up to the bound. As described in the introduction, there are several techniques to detect that the property holds. Thus, we propose to use SAT-based symbolic simulation as a replacement for BMC within these frameworks. The symbolic simulator is used to disprove the property only. This is described in the next sections.

7.1.2  Invariant  Constraints 

Invariant statements are often used to restrict the state space for verification. Such invariants are often called verification conditions [Jon99]. An invariant is a predicate $C(V)$ on state variables, and the state exploration is restricted to only those states satisfying $C(V)$. The technique described so far assumes that the transition relation of the system is a conjunction of transition functions of individual state variables. It does not allow an arbitrary transition relation. The following approach can be used for handling such invariant constraints. We first need to convert the invariant $C(V)$ into a parametric form $(c_1(Q), c_2(Q), \ldots, c_n(Q))$, where $Q$ are parameters. Assuming that the invariants are not too complicated, BDD-based algorithms can be used to get this parametric form as described in [CM90] or [Jon99]. Let the next state function be denoted by $f_i(V)$. Then, for each state variable $v_i$, a constraint of the form $f_i(V) = c_i(Q)$ is added for every time step. In the SAT formula used for symbolic simulation, each $f_i(V)$ is represented by an intermediate variable. Let $vf_i$ denote this variable. Similarly, $c_i(Q)$ is also represented by another intermediate variable $vc_i$. Thus, the equality constraint $vf_i = vc_i$ is added to the SAT formula. These equality constraints are added for each state variable in each step of the simulation. The parameters $Q$ are fresh variables for each time step. Finally, when reparameterization is done, the $Q$ parameters added for the invariants are removed along with the $I_m$ variables.

For the special case of counterexample guided abstraction refinement, an abstract counterexample, which is just an assignment to a subset of the state variables at each time step, needs to be simulated on the concrete machine. The abstract counterexample contains constraints in parameterized form that are to be applied to the symbolic simulation.

7.1.3 SAT-based Reparameterization in the Abstraction-Refinement Framework

In the abstraction-refinement framework, it is straightforward to use symbolic simulation with the SAT-based reparameterization algorithm. In [MA03], no counterexample needs to be simulated on the concrete machine, as only the length of the counterexample is of interest. In this case, the reparameterization algorithm is simply used as a replacement for BMC as described in Section 4.

On the other hand, in the counterexample-guided abstraction refinement framework, a counterexample $s^m = (s_0, s_1, \ldots, s_m)$ is used to assign values to a subset of the state variables at each step. Suppose that along the length of the counterexample, reparameterization is invoked a total of $l$ times at steps $m_1, m_2, \ldots, m_l$, such that $0 < m_1 < m_2 < \cdots < m$. Let the old parametric representation be denoted by $(f_1^{m_i}(I_{m_i}), \ldots, f_n^{m_i}(I_{m_i}))$, and let $(h_1^{m_i}(P_{m_i}), \ldots, h_n^{m_i}(P_{m_i}))$ be the newly computed parametric representation at step $m_i$, and let $S_{m_i}$ be the set of states represented by it. In order to determine if the counterexample is spurious, we simulate the abstract counterexample by adding $s_0$ as constraints to the initial state. Then we proceed by adding $s_1, s_2, \ldots$ as constraints to the symbolic simulation as described in Section 7.1.2. These constraints are just assignments of values to state variables, and hence are easy to add in the symbolic simulation.

When we reach the step $m_i$, the process is repeated using $s_{m_i}$ as constraints on the reparameterized state. Also, at each of the steps $m_i$, we check to see if the set of states $S_{m_i}$ is empty or not. This can be done by checking if the SAT formula

$s^1_{m_i} = v_1 = h_1^{m_i}(P_{m_i}) \land \cdots \land s^n_{m_i} = v_n = h_n^{m_i}(P_{m_i})$ (16)

has any satisfying assignments or not. Here, $s^j_{m_i}$ denotes the assignment to the $j$th state variable by the abstract counterexample in step number $m_i$. If Equation 16 is satisfiable, then we know that the counterexample can be concretized and we proceed to build the concrete counterexample as described in the previous section. If not, we need to extract refinement information from the failed SAT instance.

For extracting refinement information, we can use the heuristics described in [CCS+02]. However, there is one important difference: Equation 16 does not contain state variables for all simulation steps. The state variables that appear in the formula are from step $m_{i-1}$ to step $m_i$ only. However, as reported in [CCS+02], just looking at a part of the failed counterexample (often just the failure state) already provides useful refinement information. Future work is to evaluate the quality of the refinement information that we get from such SAT instances by extensive experimentation.




7.2  Checking  Liveness  using  Safety  Properties 

Biere et al. [SB03] propose to reduce a liveness property to a safety property as follows: Consider properties of the form $AF\,p$. The counterexamples to $AF\,p$ properties are of the form $EG\,\neg p$, i.e., an infinite path such that all states on the path satisfy $\neg p$. For a finite state system, such an infinite path must look like a lasso, i.e., a possibly empty sequence of states $s_0, s_1, \ldots, s_l$ where no state is repeated, concatenated with a loop $s_l, s_{l+1}, \ldots, s_m = s_l$. The authors describe two methods to translate $AF\,p$ to a safety property. Each method adds some state variables to the original system model. In each method, a Boolean variable $\mathit{found}$ becomes true as soon as $p$ holds on any state. Another Boolean variable $\mathit{looped}$ is defined that indicates that a state has already been seen before in the path, thus the loop has been closed. The truth of the $AF\,p$ property is thus given by the truth of the $AG\,(\mathit{looped} \rightarrow \mathit{found})$ property.

The two methods differ in the way the $\mathit{looped}$ signal is generated. In the first method, a counter that counts up to the completeness threshold (CT) of the $AF\,p$ property is introduced. Once the counter has gone beyond the CT, $\mathit{looped}$ is set to true. The counter can be very large, however. In the second method, a copy of all state variables is made, and these new state variables nondeterministically copy the value of the real state variables at some step. Once a state equivalent to the saved state is found, a loop is detected. The authors describe experiments with both methods. They also extend the method to handle general LTL properties.

It is easy to add this feature to the SAT-based abstraction-refinement framework. Since the translation is done in the system model, it can be easily incorporated in our framework.

7.3  Effect  of  State  Variable  Ordering 

The  static  ordering  techniques  for  quantification  scheduling  in  BDD-based  image 
computation  place  state  variables  whose  transition  functions  are  closely  related 
next  to  each  other.  I  propose  to  use  the  same  heuristic  for  ordering  the  state 
variables  in  the  SAT-based  reparameterization  algorithm. 

It  is  not  clear  that  the  size  of  the  parametric  functions  is  related  to  the 
size  of  the  transition  functions.  We  measured  the  correlation  between  the  sizes 
of  transition  functions  and  the  sizes  of  parametric  functions,  before  and  after 
reparameterization  for  different  circuits.  For  some  circuits  (IU,  D24,  D6),  a 
very  high  correlation  (>  85%)  was  observed  while  for  other  circuits  (D2,  D5, 
D18),  the  correlation  was  minimal  (<  60%).  This  indicates  that  static  ordering 
based  on  the  size  of  the  transition  function  can  be  useful.  More  work  is  needed 
to  understand  the  relationship  better.  It  should  be  noted  that  the  ordering 
problem  for  parametric  representation  is  not  as  severe  as  it  is  in  quantification 
scheduling.  However,  some  improvements  can  be  achieved  by  better  orderings. 
8 Correctness Proof


We provide a proof of Theorem 1 in this section. We prove that the parametric representation that we get from the algorithm OrderedReparam is equivalent to the original representation. As usual, $v = (v_1, \ldots, v_n) \in \mathcal{S}_n$ denotes a particular assignment to the $n$ variables $V = \{v_1, \ldots, v_n\}$, $l \in \mathcal{W}_m$ denotes a particular assignment to the variables $I_m$, and $p = (p_1, \ldots, p_n) \in \mathcal{V}_n$ denotes a particular assignment to the variables $P = \{p_1, \ldots, p_n\}$. We will use $\mathcal{X}_n$ and $\mathcal{Y}_n$ to denote subsets of $\mathcal{S}_n$. We will often drop the subscripts from $\mathcal{S}_n$, $\mathcal{V}_n$, $\mathcal{X}_n$, and $\mathcal{Y}_n$ when it is clear that the sets are constructed from $n$ length vectors.

Proof of Theorem 1:

We will prove this theorem in two parts. First, we prove that $\mathcal{X} \subseteq \mathcal{Y}$, and then we prove that $\mathcal{Y} \subseteq \mathcal{X}$.

$\mathcal{X} \subseteq \mathcal{Y}$.

If $\mathcal{X} = \emptyset$, then the relation obviously holds. Otherwise, let $v$ be an arbitrary element of $\mathcal{X}$. Then by definition of $\mathcal{X}$ there exists an assignment $l \in \mathcal{W}_m$ such that $f_1(l) = v_1 \land \ldots \land f_n(l) = v_n$. In order to show that $v \in \mathcal{Y}$, we have to provide an assignment $p \in \mathcal{V}$ such that $h_1(p) = f_1(l) = v_1 \land \ldots \land h_n(p) = f_n(l) = v_n$.

We will prove this by induction on $n$.

Base Case: $n = 1$

By definition of $\rho_1(l)$, it is true that $\rho_1(l)$ is 1 for any input vector $l$, or formally $\forall l \in \mathcal{W}_m.\ \rho_1(l) = 1$. Subsequently, $h_1^a = (\forall l \in \mathcal{W}_m.\ f_1(l) = a)$, $\forall a \in \{0, 1\}$. Since $h_1^1$, $h_1^0$, and $h_1^c$ are mutually exclusive, only one of them is 1 and the rest are 0. Also recall that $h_1(p_1) = h_1^1 \lor p_1 \cdot h_1^c$.

Now $h_1^{\neg v_1}$ has to be 0, because there is an input vector $l$ for which $f_1(l) = v_1$. There are two possibilities left. Either $h_1^{v_1} = 1$ or $h_1^c = 1$. If $h_1^{v_1} = 1$, then $h_1(p_1) = v_1$ for any $p_1$. On the other hand, if $h_1^c = 1$, then $h_1(p_1) = p_1$, so we choose $p_1 = v_1$. Then $h_1(p_1) = p_1 = v_1$.
Induction Step: $n \rightarrow n + 1$

The induction hypothesis is

$\forall v \in \mathcal{X}_n.\ \exists p \in \mathcal{V}_n.\ h_1(p) = v_1 \land \ldots \land h_n(p) = v_n.$

Here, $\mathcal{X}_n$ and $\mathcal{V}_n$ are used to emphasize that $v$ and $p$ are assignments to $n$ variables. We have to prove that

$\forall v \in \mathcal{X}_{n+1}.\ \exists p \in \mathcal{V}_{n+1}.\ h_1(p) = v_1 \land \ldots \land h_{n+1}(p) = v_{n+1}.$

Let $v = (v_1, \ldots, v_{n+1}) \in \mathcal{X}_{n+1}$. Then by definition of $\mathcal{X}_{n+1}$, there exists an $l \in \mathcal{W}_m$ such that $f_1(l) = v_1 \land \ldots \land f_{n+1}(l) = v_{n+1}$. According to the induction hypothesis, there exists $(p_1, \ldots, p_n)$ such that $h_1(p_1) = v_1 \land \ldots \land h_n(p_1, p_2, \ldots, p_n) = v_n$. We will extend this assignment by $p_{n+1}$ such that $h_{n+1}(p_1, \ldots, p_{n+1}) = v_{n+1}$. By definition, $h_{n+1}^1$, $h_{n+1}^0$ and $h_{n+1}^c$ depend only on $p_1, \ldots, p_n$. So the particular assignment $(p_1, \ldots, p_n)$ assigns specific values to these three functions, and they are mutually exclusive. Note that we have $\rho_{n+1}(p_1, \ldots, p_n, l) = 1$ by definition of $\rho_{n+1}$ and by the induction hypothesis.
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Also  from  the  definition,  h%+1(pi,p2,  ■  ■  ■  ,Pn)  =  1  if  and  only  if  for  all  input 
vectors  satisfying  ,pn,Z)  =  1,  fn+i  evaluates  to  a.  If  there  exists  at 

least  one  input  vector  for  which  p,;  evaluates  to  1  and  fn+i  evaluates  to  ->a, 
then  the  ft“+ 1  =  0. 

As  there  exists  an  I  for  which  both  p»(pi,i>2)  •  •  •  ,Pn,l)  =  1  and  fn+ i(i)  = 
Vn+1  hold,  hZT  cannot  be  1.  Thus,  there  are  two  cases  to  consider.  If 
hv™+- L1  =  1,  then  hn+i(pi, . . .  ,pn+i)  =  vn+1  for  any  pn+1.  On  the  other  hand,  if 
hn+ 1  =  1,  then  hn+i(pi, . .  -pn+i)  =  Pn+i ■  In  that  case,  we  choose  pn+1  =  vn+i. 
Then  hn+1{pn+1)  =  pn+1  =  vn+1. 

Thus  the  vector  p  =  (pi,P2,  ■  ■  ■  ,Pn,Pn+i)  has  the  desired  property  hi(p)  = 
v\  A . . .  A  hn+ 1  ( p )  =  Vn+i .  This  holds  for  p\ , . . .  ,  pn  by  the  induction  hypothesis, 
and  for  pn+ 1  by  the  arguments  above.  So  the  induction  step  is  proved. 

We  provided  an  assignment  p  such  that  h(p )  =  v  for  a  given  v  €  X.  So 
v  €  y,  hence  A’C}’. 

$Y \subseteq X$.

If $Y = \emptyset$, then the relation obviously holds. Otherwise, suppose $v \in Y$. Then by definition of $Y$, there exists $p \in V$ such that $h_1(p) = v_1 \wedge \ldots \wedge h_n(p) = v_n$. In order to show that $v \in X$, we have to provide an assignment $\iota$ such that $f_1(\iota) = h_1(p) = v_1 \wedge \ldots \wedge f_n(\iota) = h_n(p) = v_n$. However, instead of coming up with just one input vector $\iota$, we will come up with the largest set $J^m \subseteq W^m$ of input vectors such that any input vector in $J^m$ will have the desired property. Formally, we will prove the following stronger claim by induction:

$$\forall v \in Y.\ \exists J^m \subseteq W^m.\ J^m \neq \emptyset \wedge J^m = \left\{ \iota \in W^m \,\middle|\, \bigwedge_{i=1}^{n} f_i(\iota) = v_i \right\}$$

Thus, we provide a non-empty set of input vectors $J^m \subseteq W^m$ such that for every input vector in $J^m$, the function vector $f(\iota)$ will evaluate to the state vector $v$, and for every input vector that is not in $J^m$, at least one function $f_i(\iota)$ will not match the value of the bit $v_i$. Mathematically, we want $J^m$ to satisfy the following three conditions:

(I) $J^m \neq \emptyset$

(II) $\forall \iota \in J^m.\ f(\iota) = v$

(III) $\forall \iota \notin J^m.\ f(\iota) \neq v$

Any $\iota$ from $J^m$ will suffice for our purpose.

We prove the claim by induction on $n$.

Base Case: $n = 1$

By definition, we have $\forall \iota \in W^m.\ \rho_1(\iota) = 1$. Subsequently, we conclude $h_1^a = (\forall \iota \in W^m.\ f_1(\iota) = a)$, $a \in \{0, 1\}$. Since $h_1^1$, $h_1^0$ and $h_1^c$ are mutually exclusive, only one of them is 1 and the rest are 0. We have two cases depending on whether $v_1 = 0$ or $v_1 = 1$.

Case 1: $v_1 = 1$.

Since $v_1 = h_1(p_1) = h_1^1 \vee p_1 \cdot h_1^c$, we have two sub-cases to consider: If $h_1^1 = 1$, then $\forall \iota \in W^m.\ f_1(\iota) = 1$, as $\rho_1 = 1$. In this case, $J^m = W^m$ and $J^m$ is obviously non-empty. Moreover, conditions (II) and (III) are also clearly satisfied by $J^m$.

On the other hand, if $p_1 = 1$ and $h_1^c = 1$, then this implies that $h_1^0 = 0$. We choose $J^m = \{\iota \in W^m \mid f_1(\iota) = 1\}$ to satisfy condition (II). $J^m$ is non-empty, since there exists at least one $\iota$ such that $f_1(\iota) = 1$, due to $h_1^0 = 0$. Moreover, $f_1(\iota) \neq 1$ for any $\iota \notin J^m$ by definition. Thus $J^m$ also satisfies condition (III).

Case 2: $v_1 = 0$.

Since $v_1 = h_1(p_1) = h_1^1 \vee p_1 \cdot h_1^c$, we have $h_1^1 = 0$ and either $h_1^c = 0$ or $p_1 = 0$. So there are two sub-cases to consider: If $h_1^c = 0$, then $h_1^0 = 1$. As $\rho_1 = 1$, this implies that $\forall \iota \in W^m.\ f_1(\iota) = 0$. In this case, $J^m = W^m$ and $J^m$ is obviously non-empty. Moreover, conditions (II) and (III) are also clearly satisfied by $J^m$.

On the other hand, if $h_1^c = 1$, this implies that $p_1 = 0$; we choose $J^m = \{\iota \in W^m \mid f_1(\iota) = 0\}$ to satisfy condition (II). $J^m$ is non-empty, since there exists at least one $\iota$ such that $f_1(\iota) = 0$, due to $h_1^1 = 0$. Moreover, $f_1(\iota) \neq 0$ for any $\iota \notin J^m$ by definition. Thus $J^m$ also satisfies condition (III).

Thus in both cases, we have found a $J^m$ with the desired properties.
Induction Step: $n \rightarrow n + 1$

The induction hypothesis is that

$$\forall v \in Y_n.\ \exists J^m \subseteq W^m.\ J^m \neq \emptyset \wedge J^m = \left\{ \iota \in W^m \,\middle|\, \bigwedge_{i=1}^{n} f_i(\iota) = v_i \right\}$$

We need to prove this for $n + 1$, i.e.,

$$\forall v \in Y_{n+1}.\ \exists K^m \subseteq W^m.\ K^m \neq \emptyset \wedge K^m = \left\{ \iota \in W^m \,\middle|\, \bigwedge_{i=1}^{n+1} f_i(\iota) = v_i \right\}$$

For clarity, we use $J^m$ for the induction hypothesis and $K^m$ for the claim. Suppose we are given $v = (v_1, v_2, \ldots, v_{n+1}) \in Y_{n+1}$. By the induction hypothesis, there exists a non-empty $J^m$ such that $\forall \iota \in J^m.\ f_1(\iota) = v_1 \wedge \ldots \wedge f_n(\iota) = v_n$. We provide a non-empty $K^m \subseteq J^m$ as shown below such that $\forall \iota \in K^m.\ f_{n+1}(\iota) = v_{n+1}$ and $\forall \iota \in J^m \setminus K^m.\ f_{n+1}(\iota) \neq v_{n+1}$. Then, since $K^m \subseteq J^m$, we already have $\forall \iota \in K^m.\ f_1(\iota) = v_1 \wedge \ldots \wedge f_n(\iota) = v_n$. So $K^m$ satisfies condition (II). If $\iota \notin K^m$, then there are two cases depending on whether $\iota$ is in $J^m$ or not. If $\iota$ is in $J^m$, then the function $f_{n+1}$ disagrees with $v_{n+1}$. Otherwise, the induction hypothesis gives us that at least one of $f_i(\iota)$ disagrees with $v_i$ for $i \leq n$. Thus $K^m$ satisfies condition (III) as well.

Now let us find such a $K^m$.

Since we have $v \in Y_{n+1}$, there is an assignment $p = (p_1, p_2, \ldots, p_{n+1})$ such that $h_1(p) = v_1 \wedge \ldots \wedge h_{n+1}(p) = v_{n+1}$. Note that for all input vectors $\iota \in J^m$, $\rho_{n+1}(p_1, p_2, \ldots, p_n, \iota) = 1$ by definition of $\rho_{n+1}$ and by the induction hypothesis. Moreover, $\forall \iota \notin J^m.\ \rho_{n+1}(p_1, p_2, \ldots, p_n, \iota) = 0$.
Before commencing our inductive proof, we need to establish the following:

$$
\begin{aligned}
h^a_{n+1} &= \forall \iota \in W^m.\ (\rho_{n+1} \rightarrow f_{n+1}(\iota) = a) \\
&= (\forall \iota \in J^m.\ (\rho_{n+1} \rightarrow f_{n+1}(\iota) = a)) \wedge (\forall \iota \notin J^m.\ (\rho_{n+1} \rightarrow f_{n+1}(\iota) = a)) \\
&= (\forall \iota \in J^m.\ (1 \rightarrow f_{n+1}(\iota) = a)) \wedge (\forall \iota \notin J^m.\ (0 \rightarrow f_{n+1}(\iota) = a)) \\
&= (\forall \iota \in J^m.\ f_{n+1}(\iota) = a) \wedge 1
\end{aligned}
$$

Thus, $h^a_{n+1} = \forall \iota \in J^m.\ f_{n+1}(\iota) = a$.

Since $h^1_{n+1}$, $h^0_{n+1}$ and $h^c_{n+1}$ are mutually exclusive, only one of them is 1 and the rest are 0. We have two cases depending on whether $v_{n+1} = 0$ or $v_{n+1} = 1$.

Case 1: $v_{n+1} = 1$.

Since $v_{n+1} = h_{n+1}(p) = h^1_{n+1} \vee p_{n+1} \cdot h^c_{n+1}$, we have two sub-cases to consider. If $h^1_{n+1} = 1$, then $\forall \iota \in J^m.\ f_{n+1}(\iota) = 1$, as $\rho_{n+1} = 1$. In this case, $K^m = J^m$ and $K^m$ is non-empty since $J^m$ is. $K^m$ also satisfies condition (II) as the first $n$ functions match the first $n$ bits by induction and the last function matches the last bit 1 by the argument above. If $\iota \notin K^m$, then $\iota \notin J^m$, and at least one of $f_1, f_2, \ldots, f_n$ doesn't match the value of the corresponding bit. Thus condition (III) is also satisfied by $K^m$.

On the other hand, if $h^c_{n+1} = 1$ and $p_{n+1} = 1$, then this implies that $h^0_{n+1} = 0$. We choose $K^m = \{\iota \in J^m \mid f_{n+1}(\iota) = 1\}$ to satisfy condition (II). $K^m$ is non-empty, since there exists at least one $\iota \in J^m$ such that $f_{n+1}(\iota) = 1$, due to $h^0_{n+1} = 0$. For $\iota \notin K^m$, if $\iota \in J^m$, then $f_{n+1}(\iota) \neq 1$. Otherwise, $\iota \notin J^m$, and the inductive hypothesis gives us at least one $f_i$, $1 \leq i \leq n$, such that $f_i(\iota) \neq v_i$. Thus $K^m$ also satisfies condition (III).

Case 2: $v_{n+1} = 0$.

Since $v_{n+1} = h_{n+1}(p) = h^1_{n+1} \vee p_{n+1} \cdot h^c_{n+1}$, we have $h^1_{n+1} = 0$ and either $h^c_{n+1} = 0$ or $p_{n+1} = 0$. Thus, we have two sub-cases to consider. If $h^c_{n+1} = 0$, then $h^0_{n+1} = 1$, so $\forall \iota \in J^m.\ f_{n+1}(\iota) = 0$. In this case, $K^m = J^m$ and $K^m$ is non-empty since $J^m$ is. $K^m$ also satisfies condition (II) as the first $n$ functions match the first $n$ bits by induction and the last function matches the last bit 0 by the argument above. If $\iota \notin K^m$, then $\iota \notin J^m$, and at least one of $f_1, \ldots, f_n$ doesn't match the value of the corresponding bit. Thus condition (III) is also satisfied by $K^m$.

On the other hand, if $h^c_{n+1} = 1$, then $p_{n+1} = 0$ and we choose $K^m = \{\iota \in J^m \mid f_{n+1}(\iota) = 0\}$ to satisfy condition (II). $K^m$ is non-empty, since there exists at least one $\iota \in J^m$ such that $f_{n+1}(\iota) = 0$, due to $h^1_{n+1} = 0$. For $\iota \notin K^m$, if $\iota \in J^m$, then $f_{n+1}(\iota) \neq 0$. Otherwise, $\iota \notin J^m$, and the inductive hypothesis gives us at least one $f_i$, $1 \leq i \leq n$, such that $f_i(\iota) \neq v_i$. Thus $K^m$ also satisfies condition (III).

Therefore, in both cases, we have found a $K^m$ with the desired properties.

Hence, by the induction principle, we can always provide a $J^m$ such that $\forall \iota \in J^m.\ f(\iota) = v$. We can choose any $\iota$ from $J^m$. Therefore, $v \in X$, hence $Y \subseteq X$. QED.
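As an added example (not code from the paper), the construction the proof reasons about, carried out by brute force on a small constructed state function: each $h_i(p)$ is built from $h_i^1$, $h_i^0$ and $h_i^c$ by quantifying over the inputs, and the image of $h$ over all parameter vectors is checked against the image of $f$ over all input vectors, i.e. $X = Y$. Reading $\rho_{i}(p_1, \ldots, p_{i-1}, \iota)$ as "the first $i-1$ functions agree with $h_1(p), \ldots, h_{i-1}(p)$ on $\iota$" is an assumption taken from how the proof uses $\rho$; the sample functions are constructed.

```python
from itertools import product

# Constructed sample: m = 3 inputs (a, b, c), n = 3 state functions f_i(iota).
# f_3 is unconstrained, but f_2 = 1 is forced whenever f_1 = 1, so a state such
# as (1, 0, x) is unreachable and a correct h must never produce it.
M = 3
FS = [
    lambda io: io[0] & io[1],   # f_1 = a AND b
    lambda io: io[0] | io[1],   # f_2 = a OR b
    lambda io: io[2] ^ io[0],   # f_3 = c XOR a
]

def build_h(fs, m):
    """Return h(p) -> state vector, built from the h_i^1 / h_i^0 / h_i^c functions
    by exhaustive quantification over W^m (exponential; illustration only)."""
    inputs = list(product((0, 1), repeat=m))

    def h(p):
        v = []
        for i, f in enumerate(fs):
            # rho_{i+1}(p_1..p_i, iota): inputs consistent with the bits fixed so far
            # (assumed definition, matching how the proof uses rho; this is J^m).
            consistent = [io for io in inputs if all(fs[j](io) == v[j] for j in range(i))]
            vals = {f(io) for io in consistent}
            h1 = vals == {1}             # h_i^1: f_i is 1 on every consistent input
            h0 = vals == {0}             # h_i^0: f_i is 0 on every consistent input
            hc = not (h1 or h0)          # h_i^c: f_i still depends on the input
            # h_i(p) = h_i^1  OR  p_i AND h_i^c ; bit i is free only when h_i^c holds
            v.append(1 if h1 else (p[i] if hc else 0))
        return tuple(v)
    return h

def reachable_states(fs, m):
    """X: image of the function vector f over all input vectors iota in W^m."""
    return {tuple(f(io) for f in fs) for io in product((0, 1), repeat=m)}

def parametric_states(fs, m):
    """Y: image of h over all parameter vectors p in V = {0,1}^n."""
    h = build_h(fs, m)
    return {h(p) for p in product((0, 1), repeat=len(fs))}

def check_equivalence(fs=FS, m=M):
    """The theorem being proved: X == Y. Returns (X, Y, X == Y)."""
    x, y = reachable_states(fs, m), parametric_states(fs, m)
    return x, y, x == y

if __name__ == "__main__":
    x, y, ok = check_equivalence()
    print(sorted(x), ok)
```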

9 Conclusion and Future Work

The paper presents a SAT-based reparameterization algorithm, which allows symbolic simulation to be performed much faster than using BDDs. The method uses an unwinding of the transition relation and thus is comparable to BMC. However, the reparameterization step, which is done when the equation becomes too big, makes it possible to go much deeper into the transition system than BMC without reparameterization can. The reparameterization algorithm captures a small, symbolic representation of the states that are reachable in exactly k steps. Using this representation as the new initial state predicate, the algorithm starts over.

The algorithm is incomplete in that it is unable to prove the property correct. However, so is BMC, and the presented algorithm can be used as a replacement for BMC within most methods that make BMC complete, such as counterexample-guided abstraction refinement.

In the future, we want to evaluate the performance improvements obtainable by using the algorithm as a replacement for BMC in this setting. In particular, we would like to investigate how to extract proofs of unsatisfiability or interpolation-based proofs.